In this short blog I will show you how to look into if users are using Multifactor Authentication based on earlier posts on how to monitor and collect logging for your Azure AD.

So first of all – You need to setup Azure AD logging. Have a look at this blogpost to se how easy it is to setup. “Monitor Azure AD”

Then we need to use a query in Log Analytics. You find the latest version on my github or you can copy paste from the code-snippet under.

https://github.com/jurasmus/KQL-AzureAD/blob/main/kql-mfa-usage.kql

SigninLogs
| where TimeGenerated > ago (14d)
| summarize ['Single-factor Auth.']=countif(AuthenticationRequirement == "singleFactorAuthentication"), ['MFA']=countif(AuthenticationRequirement == "multiFactorAuthentication") by bin(TimeGenerated, 1d)
| render timechart with (ytitle="Amount", title="MFA vs non-mfa last 14 days")

This query will give you an output like this when used. You can then use this in your monitoring solution to visualize the usage of MFA.

MFA usage vs Single factor usage